Closed prashanthpulisetti closed 1 month ago
Unfortunately the rule in its current state doesn't work.
The fix for the vulnerability is in the builds 7.0.0.18899 and 8.0.0.19236, which start with 7.0 and 8.0 respectively, so both the fixed and vulnerable versions of Veeam Service Provider Console will be triggering this.
Also for version 5 and 6. Both have reached end of fix (see this). And assuming a fix is provided for those with support, it'll also be released in minor builds. So we can't use those as well.
And since version comparison is hard in most SIEMs (i.e. you can't use the "lt" / "gt" modifiers here), detecting this via this method is not a super viable option. (Best leave this to other tooling in the env such as vuln or inventory management tools as an example.)
Closing this PR for now. If you have another method, feel free to open a PR.
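The version problem raised in the comment above, as an added example (not part of the PR or the rule repository): a prefix match fires on fixed and vulnerable builds alike, while a numeric comparison of the kind an inventory or vulnerability-management tool can run separates them. The host names and every build number other than 7.0.0.18899 and 8.0.0.19236 are constructed.

```python
# Added example: fixed builds are the two quoted in the review comment above.
FIXED_BUILDS = {(7, 0): (7, 0, 0, 18899), (8, 0): (8, 0, 0, 19236)}

# Constructed inventory (hypothetical hosts); only the two fixed builds are from the page.
INVENTORY = {
    "vspc-a": "7.0.0.18899",
    "vspc-b": "7.0.0.100",
    "vspc-c": "8.0.0.19236",
    "vspc-d": "8.0.0.9999",
    "vspc-e": "6.0.0.100",
}


def parse_build(text):
    """Turn '8.0.0.19236' into (8, 0, 0, 19236); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a four-part build number: {text!r}")
    return tuple(int(p) for p in parts)


def prefix_rule_matches(text):
    """What a startswith-style condition sees: the branch prefix only."""
    return text.startswith(("7.0.", "8.0."))


def classify(text):
    """Compare numerically against the fixed build of the same branch."""
    build = parse_build(text)
    fixed = FIXED_BUILDS.get(build[:2])
    if fixed is None:
        return "unknown"  # no fixed build for this branch is given on the page
    return "vulnerable" if build < fixed else "fixed"


def report(inventory):
    """Map host -> (prefix rule fires?, numeric verdict)."""
    return {h: (prefix_rule_matches(b), classify(b)) for h, b in inventory.items()}


if __name__ == "__main__":
    for host, (fires, verdict) in report(INVENTORY).items():
        print(f"{host}: prefix_rule={fires} numeric={verdict}")
    # Plain string comparison is not a substitute: '9' sorts after '1'.
    print("8.0.0.9999" < "8.0.0.19236")
```

The constructed build 8.0.0.9999 is the case to watch: it is below the fixed build numerically, but a string comparison orders it above.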
Detection of Veeam Service Provider Console Vulnerability (CVE-2024-29212)
References: https://www.veeam.com/kb4575 https://www.helpnetsecurity.com/2024/05/08/cve-2024-29212/
Raw Logs: